Data breaches are happening more frequently than ever before, and their scale is growing as well. Even though preventing data loss is now a top priority of most organizations, many of them still rely on the rudimentary username and password approach to security, which has been proven time and time again to be insufficient against modern cybersecurity threats.
In fact, stolen and/or weak passwords were a factor in 81% of hacking-related breaches according to Verizon’s Data Breach Investigations Report 2017. It’s clear that organizations can no longer rely on passwords alone to protect their own and their customers’ private data. Fortunately, a suitable solution is not only available but has already been successfully implemented by countless organizations of all sizes. We’re talking, of course, about two-factor authentication.
What Is Two-Factor Authentication?
Two-factor authentication, also known as 2FA, is a method of confirming a user’s identity using a combination of two different pieces of information. The information requested from the user may be something the user knows (such as a password or a PIN), something the user has (such as a bank card or a security token), or something the user is (such as the user’s fingerprint, facial pattern, or voice).
A good example of two-factor authentication that most people are instantly familiar with is the ATM withdrawal process. First, the ATM asks the person who wants to withdraw money to insert their credit or debit card (something the user has). After verifying the card, the ATM then asks for a PIN (something the user knows).
If it wasn’t for the second layer of authentication, criminals could simply steal someone’s card and withdraw all money from the associated bank account without anything standing in their way.
Two-factor authentication is sometimes used interchangeably with multi-factor authentication (MFA), but it is actually a subset of it: MFA encompasses all authentication methods that grant access only after two or more pieces of information are successfully presented, and 2FA is the case of exactly two.
Two-Factor Authentication Methods
There are many two-factor authentication methods in use today, but their popularity differs wildly. According to a report published by Duo Security, a company behind popular cloud-based two-factor authentication services, SMS/text messages are by far the most popular two-factor authentication method, followed by dedicated authenticators, such as Google Authenticator. Only 9% of survey respondents were familiar with physical security tokens, and biometric authentication was even less popular.
However, organizations shouldn’t select a two-factor authentication method based on its popularity. Instead, they should carefully evaluate the pros and cons of each method and pick the one that is best suited for the particular use case.
- SMS/text messages: By far the biggest advantage of SMS/text messages as a two-factor authentication method is the fact that most users own a mobile phone and carry it with them almost all the time. This method tends to be easy to implement because all the information necessary is typically already recorded by the organization, namely users’ mobile phone numbers. For maximum security, the one-time PIN or password sent via SMS/text message should be given a short expiry time and accepted only once. However, even with a very short expiry time, there are many drawbacks to using SMS/text messages as the second authentication factor. For example, a malicious actor can use a variety of techniques to transfer a victim’s phone number to their own SIM card (a SIM-swap attack), SMS messages carrying passwords can be intercepted by abusing the SS7 signalling protocol, and there are also many SMS-stealing trojans that specifically target mobile devices.
- Dedicated authenticators: For the reasons described above, security experts now advocate the use of dedicated two-factor authenticator apps. From the user’s perspective, dedicated authenticators work similarly to SMS/text messages, but the one-time code is generated on the device itself from a secret shared during enrollment rather than sent over the phone network, so it cannot be intercepted in transit. The app has to be installed separately by users themselves or by the IT department. Today, there are many dedicated authenticators organizations can choose from, such as Duo, Google Authenticator, or Authy, so the cost of implementing this two-factor authentication method can be relatively low. Less technically inclined users may find dedicated authenticators somewhat difficult to use, but this depends largely on the chosen authenticator app.
- Physical security tokens: While typically considered the strongest two-factor authentication method by security professionals, physical security tokens are considerably less popular among users, who dislike having to carry a dedicated hardware device with them. As such, physical security tokens are best reserved for securing critical systems only.
- Biometric authentication: This two-factor authentication method uses biometric information, such as a voice or fingerprint, as the second piece of information. The biggest problem with biometric authentication is the fact that biometric information is not secret, and unlike a password it cannot be changed once it has been copied. In 2014, a hacker successfully faked a German minister’s fingerprints using photos of her hands, and it’s not difficult to imagine a similar attack used against an organization.
The Importance of Two-Factor Authentication
There’s a very good reason why a growing number of security experts are vocal about the importance of two-factor authentication: it works.
After becoming a repeated victim of sophisticated phishing scams, Google decided to give all 85,000 employees USB security keys to be used as a two-factor authentication method. Since then, Google hasn’t suffered a single employee-related phishing compromise.
“We have had no reported or confirmed account takeovers since implementing security keys at Google,” reported Google to security writer Brian Krebs. “Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time,” Google further explained.
In addition to offering reliable protection against phishing, identity fraud, brute-force attacks, and other popular cyberattacks, two-factor authentication is important for achieving compliance with certain regulations, such as the second Payment Services Directive (PSD2), which requires strong customer authentication, or Homeland Security Presidential Directive 12 (HSPD-12) for federal employees and contractors in the USA.
Two-factor authentication helps organizations of all sizes address the vulnerabilities of a standard password-only approach, which is why it should be an essential part of every cybersecurity strategy. Today, there are many two-factor authentication methods to choose from, so each organization can select the one that best meets its needs. However, it’s important to keep in mind that no security method is 100% bulletproof, and two-factor authentication is no exception. It’s another layer that makes it more difficult for cybercriminals to breach the perimeter and steal sensitive information, but its importance cannot be overstated.
Written by: Payam Pourkhomami, President & CEO, OSIbeyond